Irish High Court rules on Facebook surveillance case ...

1 - Page 1 of 4 - Oct 3rd 2017 Irish high Court rules on Facebook surveillance case: Irish DPC has well founded concerns over US surveillance of Facebook EU-US data transfer complaint referred to European Court of Justice for a second time Warning: This is a highly complex case. At the end of this document you can find common misunderstandings . We did our best to provide a first summary below and we will update this document over the day [klick here for the most recent version]. Please also check @maxschrems for updates and statements. Quick Summary. Today the Irish high Court has released a 129 page judgement [PDF] on Facebook s EU-US data transfers in the light of US surveillance laws (like FISA 702 and EO ), as well as US surveillance programs disclosed by Edward Snowden (like PRISM and Upstream ).

2 The executive summary of the Judgement by the Court can be downloaded here. A first video statement by Max Schrems can be found here. The Court joined the view of Mr Schrems (who filed the original complaint against Facebook in 2013) and the Irish Data Protection Authority (DPC) that the absence of effective remedies in the United States may violate European fundamental rights under Articles 7, 8 and 47 of the European Charter of Fundamental Rights, when data is sent to the US. Regarding the type of US surveillance , the judgement holds: On the basis of this definition and the evidence in relation to the operation of the PRISM and Upstream programmes authorised under s.

3 702 of FISA, it is clear that there is mass indiscriminate processing of data by the Unites States government agencies. The Court found that the DPC has well-founded concerns that the SCC Decision by the European Commission (2010/87/EU) may be invalid. The Court further found, that the DPC may be able to suspend data flows under the SCCs in line with Article 4 of the SCC decision and Article 28 of Directive 95/46/EC (as argued by Mr Schrems, and in which case the invalidity issue may not arise). The high Court followed the DPC s wish to refer questions to the Court of Justice of the European Union (CJEU - the EU s top Court ).

4 The CJEU will clarify the legal implications of the facts found by the Irish Court for EU-US data transfers. The CJEU will be bound by the findings of fact by the Irish high Court . The exact wording of the questions will be decided in a second decision. Almost exactly two years ago (on October 6th 2015) Mr Schrems won a first reference to the CJEU in the same legal case between Mr Schrems and Facebook . The CJEU has stopped EU-US data sharing and invalidated the so-called Safe Harbor system (see C-362/14) in this first judgement. The same complaint will now be heard by the CJEU for a second time.

5 First Statement by Mr Schrems: I welcome the judgement by the Irish high Court . It is important that a neutral Court outside of the US has summarized the facts on US surveillance in a judgement, after diving through more than pages of documents in a five week hearing. Facebook seems to have lost in every argument they were making. Next Steps. The Court listed the case for mention on October 11th. The parties will be asked to agree on the precise questions that should be referred to the CJEU. The actual reference to the CJEU will - Page 2 of 4 - follow soon thereafter.

6 The case before the CJEU takes on average years. The previous reference to the CJEU to this took 1 year and 3 months. Facebook s EU-US data transfers. Facebook operates its international business outside of the United States and Canada via a separate company in Ireland called Facebook Ireland Ltd . 85,9% of all worldwide Facebook users (everyone except USA and Canada) are managed in Dublin (Link), which is understood to be part of Facebook s tax avoidance scheme. Facebook currently sends all user data to its parent company, Facebook Inc. in the United States for processing.

7 European law (Articles 25 and 26 of Directive 95/46/EC) requires that data can only be transferred outside of the EU if the personal data is adequately protected . This is in conflict with US mass surveillance laws, which Facebook Inc. in the USA is subject to. Max Schrems: In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that. As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run. Standard Contractual Clauses. EU law in principle prohibits all data transfers outside of the EU, where the strict EU privacy laws do not apply.

8 To still allow necessary data flows, there is a number of exceptions to this principle, that expand EU law through a B2B contract. One exception was Safe Harbor , which Facebook used before it was invalidated by the CJEU. Another exception are Standard Contractual Clauses ( SCCs , also called Model Clauses ) which a non-EU company can sign to receive data from the EU (official EU info page). Facebook is currently using SCCs between Facebook Ireland and Facebook Inc. [ Facebook s SCCs]. All contractual systems have an emergency clause built in (Article 4 of the SCCs). This clause allows the local data protection authority (the DPC in this case), to stop data flows, even if SCCs are in place, whenever there is a conflicting law in a foreign country (in this case US surveillance laws).

9 Positions of Parties. The three parties of the procedure took the following principle positions: Mr Schrems is of the view, that a targeted solution is available and a reference to the CJEU is not necessary. The Irish DPC could have used Article 4 of the Standard Contractual Clauses decision to stop the specific data sharing of Facebook only. Mr Schrems has never taken any issue with the system of Standard Contractual Clauses The Irish Data Protection Commissioner took the view that there is a larger, systematic issue concerning SCCs. The DPC took the view, that as the validity of the SCCs is at stake the case should therefore be referred to the CJEU.

10 Contrary to Mr Schrems view, the DPC felt, that it cannot utilize Article 4 of the SCCs, as this would be an unfair treatment of Facebook . Facebook Ireland Ltd. Facebook Inc. (USA) User Standard Contractual Clauses - Page 3 of 4 - Facebook was in substance of the view, that there is no problem concerning US surveillance laws. Consequently there is no need for a reference and Facebook does not violate EU fundamental rights by transferring data to the United States. It also took the position that, even if there would be a problem, US surveillance falls under the exception of EU law for national security.